Abstract


The Space Shuttle Reusable Solid Rocket Motor (RSRM) baseline is subject to various changes. 
Changes are necessary due to safety and quality improvements, environmental considerations, 
vendor changes, obsolescence issues, etc. The RSRM program has a goal to test changes on
full-scale static test motors prior to flight due to the unique RSRM operating environment. Each
static test motor incorporates several significant changes and numerous minor changes. Flight 
motors often implement multiple changes simultaneously. While each change is individually 
verified and assessed, the potential for changes to interact constitutes additional hidden risk. 
Mitigating this risk depends upon identification of potential interactions. Therefore, the ATK 
Thiokol Propulsion System Safety organization initiated the use of a risk interaction matrix to 
identify potential interactions that compound risk. Identifying risk interactions supports flight 
and test motor decisions. Uncovering hidden risks of a full-scale static test motor gives a broader 
perspective of the changes being tested. This broader perspective compels the program to focus 
on solutions for implementing RSRM changes with minimal/mitigated risk. This paper discusses 
use of a change risk interaction matrix to identify test challenges and uncover hidden risks to the 
RSRM program. 


Introduction 


ATK Thiokol Propulsion, a division of ATK Aerospace Company Inc., produces the Space 
Shuttle Reusable Solid Rocket Motor (RSRM). The RSRM is the largest human-rated solid 
rocket motor ever flown and the only booster capable of recovery and reuse. Developed for 
NASA by Thiokol in the mid-1970s, the solid rocket motor was successfully static tested on
July 18, 1977. During the first 122 seconds of each Space Shuttle flight, the two RSRMs provide 
80 percent of the liftoff thrust needed to accelerate the Shuttle to a speed of 3,094 miles per hour 
before separating from the orbiter and external tank at an altitude of 24 nautical miles. Nearly 
seven minutes after separation, the spent boosters parachute into the Atlantic Ocean 
approximately 140 nautical miles downrange from Kennedy Space Center. The recovered 
boosters are disassembled in Florida and returned to ATK Thiokol Propulsion’s Component 
Refurbishment Work Center in Utah, where the metal components are refurbished for future 
Space Shuttle flights. 

Following the Space Shuttle Challenger accident in 1986 the solid rocket motor underwent a 
major redesign effort. For the two plus years following the Challenger accident, one of the most 
extensive efforts for any system was undertaken to identify, understand and control risk 
associated with the solid rocket motor. System Safety risk assessments for the redesigned rocket 
motor began at the initial design inception stage and matured as the best design was selected, 
analyzed and tested in preparation for flight. The established baseline motor design, with the
respective subsystems, components, parts and materials, was analyzed extensively. System
Safety analyses and tools were implemented to assure that hazards and associated risks were
identified, understood, mitigated to the extent possible, controlled to an acceptable level and
communicated within Thiokol and to NASA. The RSRM Fault Tree Analysis, Hazard Analyses, 
Failure Modes and Effects Analysis/Critical Items List (FMEA/CIL) and the Certificate of 
Qualification (COQ) were the foundation for risk identification, mitigation, control and the 
establishment of baseline risk. The baseline risk was communicated by “. . . the documentation of 
System Safety and reliability analyses, [which] were reviewed, critiqued and approved by all 
levels of technical management at Thiokol and at NASA assuring an understanding and 
appropriate mitigation of risk.” (ref. 1) Verification of the RSRM baseline was accomplished by 
extensive testing to verify design and analytical work. “With all of the testing and analyses 
completed previous to the first flight of the new RSRM in the fall of 1988, confidence was high 
that the optimum design had been achieved.” (ref. 1) Continued “[safe] and reliable hardware 
performance is of supreme importance. This includes safety issues affecting the general public, 
flight crews, ground crews, manufacturing personnel, flight assets, and ground assets.” (ref. 2) 
Therefore, identifying and appropriately addressing changes in risk to the RSRM is an ongoing 
endeavor. 

Only the metal components of the “reusable” solid rocket motor are refurbished and reused. 
Each flight is a verification of the design, materials and processes. Any change from the baseline 
(flight proven) design, materials or processes equates to some change in flight risk due to no 
flight history. Nearly 15 years have passed since the initial establishment of the baseline design 
of the redesigned Space Shuttle RSRM and subsequent first flight. During these 15 years, 
numerous processing, material and design changes have been implemented. Changes were, and 
continue to be necessary due to safety and quality improvements, environmental considerations, 
vendor changes, material obsolescence issues, post-flight observations, etc. In order to minimize 
the risks associated with changes from the successful baseline, the RSRM program has 
established a goal to “test before fly”, that is, to test any RSRM change on at least one full-scale 
static test motor prior to flight implementation. Full-scale static tests are conducted 
approximately once a year. Therefore, each static test motor typically incorporates several 
significant changes and numerous minor changes. 

In connection with the “test before fly” goal, it is essential for the program to fully evaluate the 
relative change in risk associated with each RSRM change. The system safety discipline has the 
responsibility to identify, assess and communicate the relative risk associated with each change 
made to the RSRM. Relative change in risk for a specific test or flight motor becomes more 
difficult to identify and assess when multiple changes from the baseline materials, processes or 
design are simultaneously implemented. Each individual change necessitates a risk assessment 
specific to that change. However, the change specific risk assessment could miss hidden risks 
due to concurrent implementation of multiple changes. Changes to materials, processes or design 
have the potential to negatively interact. In order to fulfill the responsibility to fully assess and 
identify risk associated with RSRM static test and flight motors, a risk interaction matrix is used 
to assure all changes from baseline are assessed for potential change interactions. A regimented 
review of the potential risk, from interacting changes, assures that any change in risk or any new 
risk is understood and that appropriate controls have been or can be employed to mitigate risk to 
an acceptable level prior to approving the change. 

Changes to the RSRM Baseline 

Changes to the RSRM baseline may be in the form of intentional or unintentional changes. 
Intentional changes are those requested through Engineering Change Proposals (ECP), 
manufacturing process Operation Change Requests (OCR), or Supplier Operations Change
Requests (SOCR). Changes to the baseline design or process are often proposed as continuous
improvement or risk reduction efforts. Even so, they must begin with carefully weighing the
potential effects of each change. In the baseline RSRM Flight Systems Hazard Reports, eleven
of the “accepted risk” hazard causes have been identified as potential candidates for changes to
reduce risk (ref. 3). Implementing changes on a tried and proven system necessitates careful
consideration. “While there has been a desire to implement changes for performance 
improvements and a need to replace materials that have become obsolete, the robust design, 
completion of rigorous testing and flight success of the RSRM has resulted in a wise reluctance 
to make changes. Improvement initiatives and overcoming obsolescence roadblocks are weighed 
against the reluctance to change with careful comparison and evaluation.” (ref. 1) 

Prior to the approval of any planned change affecting flight hardware or change to baseline 
hardware or processes through a discrepant condition, a thorough risk assessment is completed. 
Changes to processing equipment, tooling, facilities or support materials that are considered to be 
associated with flight hardware and/or materials are regarded as significant and require a risk
assessment prior to approval of each change. In accordance with NASA requirements, “Changes 
in any RSRM equipment design or Thiokol applicable procedures receive the same review and 
assessment as that conducted for the original equipment and where applicable updates the 
hazards analysis.” (ref. 4). To provide this “same review and assessment” as required, system 
safety tools are utilized to evaluate each proposed change. This evaluation weighs the effects of 
the change(s) and assures that implementation will not create a negative impact on the applicable 
component or associated system. The review and assessment of individual changes includes a 
comparison to the applicable baseline hazard analysis and accompanying risk matrix and Fault 
Tree Analysis, the COQ and the FMEA/CIL. The required system safety risk assessments 
accompany each proposed change to communicate the level of risk involved to the various 
Thiokol and NASA review boards. 

System Safety Assessment Sheets are required to accompany each change to RSRM design or 
manufacturing processes whether they are a new design/process or a modification to an existing 
one. Each change is evaluated against the following risk criteria for baseline Hazard Reports and 
FMEA/CILs. 

Does the change: 

a) Introduce any new hazards/failure modes or hazard causes/failure causes? 

b) Eliminate, adversely affect, or invalidate any hazard controls, verification data, or
CIL retention rationale?

c) Reduce a margin of safety for any RSRM component? 

d) Change the criticality category assignment? 

e) Require an adverse (increase in severity or in probability) change to the NSTS 
22254, risk matrix classification of a hazard cause? 

If any of these questions are answered “yes”, a risk change document Change Notice (CN) to the
baseline Hazard Report and/or FMEA/CIL may be required. Such a change also requires review
and approval by Thiokol and NASA Level III (Marshall Space Flight Center, Project),
Configuration Control Boards and presentation to the NASA Level II System Safety Review
Panel (SSRP), along with a Change Request (CR) to the NASA Program Requirements Control
Board (PRCB). The thoroughness with which Thiokol and NASA review changes ensures all 
RSRM related issues are properly “screened” against program risk criteria and that there is an 
awareness and understanding of any significant change in risk. (ref. 5) 



Unintentional changes are those that result from discrepant hardware conditions or process 
deviations as addressed on Discrepancy Reports (DRs). Discrepancies, by definition, are a 
change from the baseline that must be assessed. A determination of criticality for each 
discrepancy is made as an initial risk assessment. Those that are determined to be an 
insignificant increase in risk may be approved and closed out in a Material Review Board (MRB) 
meeting. Discrepancies that are determined to constitute an increase in risk are provided with a 
formal System Safety Risk Assessment and sent on for further review by the Senior Material 
Review Board (SrMRB). Issues addressed by SrMRB are discussed again as a topic in the 
Certification of Flight Readiness (CoFR) process. 

Testing of Changes to Baseline 

Testing all changes made to the RSRM is a goal of the RSRM Program. Changes to 
configuration and changes to processes are to be tested on full-scale static test motors. 
Occasionally there are changes that need to be made without the opportunity to complete
full-scale static testing. Those changes that will be implemented and will not be tested on a full-scale
static test motor prior to first flight must be approved by a NASA Level III (Marshall Space 
Flight Center, RSRM Project) Configuration Control Board Directive (CCBD) and by a Level II 
(Johnson Space Center, Space Shuttle Program) Program Requirements Control Board Directive 
(PRCBD). For those changes that are scheduled for flight without a previous static test, 
sufficient rationale must be provided showing the testing and analyses that justify an acceptable 
level of risk. 

Most changes are tested on full-scale static test motors prior to their first flight. In many 
respects, a full-scale RSRM static test motor is treated in the same way as flight motors. “System 
Safety performs hazard analyses for the major tests to be performed on the RSRM development 
and qualification program. The applicable major tests include all full-scale static test motors 
(both test evaluation motor (TEM) and flight support motor (FSM)).” (ref. 4) System Safety 
assesses engineering changes (ECSs/ECPs), process changes (OCRs), discrepancy reports (DRs), 
and other unique issues applicable to each static test configuration and test objectives. Every 
new configuration, process and material has inherent risk due to the lack of history. However, 
Design and Manufacturing Engineering have minimized risk based on design features, test data, 
analyses, and inspections. The focus of a system safety assessment is on aspects unique to the 
particular test when compared to the flight configuration or test motors previously fired. (ref. 6)

Due to the nature and cost of full-scale RSRM static tests, it is necessary to test a number of 
changes on each test motor. Because of the high number of change items/test objectives on many 
test motors, some form of assessing the potential interaction of changes is needed. 

Identifying the Hidden Risks of Change Interactions 

As previously mentioned, System Safety personnel assess the qualitative risk of all individual 
motor changes, discrepancies and technical issues per NASA requirements documented in NSTS 
22254 (ref. 5), NSTS 22206 (ref. 7) and ATK Thiokol Propulsion requirements documented in 
TWR-15902 (ref. 4) and department Organization Operating Instructions (ref. 8). The potential 
for the negative interaction of multiple changes being tested on RSRM static test motors 
necessitates an effort to identify possible increases in risk. The result of an interaction between 
changes can range from benign to compounding risk requiring mitigating action. To reduce the 
likelihood of an unacceptable or high-risk interaction, ATK Thiokol Propulsion developed and 
uses a System Safety Risk Interaction Matrix (SSRIM). The methodology is similar to that used
by other projects and disciplines that typically use an interaction matrix to assess design or
technical interaction potential. The SSRIM is a tool that systematically crosschecks all unique 
features or issues associated with a flight/test motor to identify items that could interact with 
other new motor features. The identification of two or more items interacting with each other 
initiates the process to assess the potential of compounding risk. This matrix is a non-contractual 
tool used by the System Safety organization, providing a “second-look” at changes/features 
associated with a particular motor. It is used as part of the test article hazard analysis and 
supports the requirement to report overall risk to ATK Thiokol Propulsion and NASA 
management. Flight motors are assessed in a like manner. 

Items assessed for test motors and flight motors include: 


Test Motors

• Test objectives - engineering and process changes

• Test readiness review technical issues

• SrMRB nonconformances

• Pre-existing issues, i.e., active problem assessment system items, Contract End Item waivers/deviations, significant “closed by explanation” issues, and widespread minor waivers

• Significant test facility changes


Flight Motors

• Engineering and process changes

• Certification of Flight Readiness (CoFR) review technical issues

• SrMRB nonconformances, including Kennedy Space Center (KSC) problem reports

• Pre-existing issues, i.e., active problem assessment system items, Contract End Item waivers/deviations, significant “closed by explanation” issues, and widespread minor waivers

• Significant KSC motor processing and facility changes


A change is not carried on subsequent SSRIMs once the change is approved and baselined for
RSRM flight or test motors. Issues closed by corrective action(s) are not carried on subsequent
SSRIMs. Issues closed by explanation, and that have applicability to the flight or test motors, will
continue to be assessed using the SSRIM.


Timing for conducting the SSRIM coincides with the Configuration Control Board baselining of
test motors with a preliminary SSRIM. The final SSRIM assessments are completed for the Test 
Readiness Reviews (TRR). Flight motor assessments support the CoFR review process. Final 
motor processing flow, following the above-mentioned reviews, may require a matrix update 
pending any applicable issues. 


System Safety Risk Interaction Matrix Methodology: System Safety uses a matrix, such as seen 
in Figure 1, to systematically crosscheck each applicable item that changes the motor baseline, 
against one another for compounding risk consideration. All items/issues are listed for 
assessment in the matrix. The assessment results are recorded in the space at the intersection of 
two items. The assessment of risk is made with results noted using an alpha character as defined: 

O: No issue 

I: Inter-related, no significant or no change in risk 

J: Justification in place for potential compounding risk 

R: Potential compounding risk, additional rationale required 



System Safety judgment is used to determine assessment results. This judgment takes into 
account criticality, change verification data, test usage rationale, performance history and 
technical experience. The likelihood of occurrence and severity of interaction are judged 
qualitatively when assigning interaction results. Any items marked with an “R” and determined 
to have a potential of compounding risk are communicated immediately with applicable 
component teams including design engineering, manufacturing, quality engineering, etc., in order 
to mitigate the risk or eliminate the proposed change. 
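
The crosscheck described above, as an added Python sketch (not ATK Thiokol's tool and not code from the paper): every pair of baseline-changing items gets one cell holding an O/I/J/R code, and the matrix reports pairs still unassessed and pairs marked R. The class and method names are hypothetical, the requirement that J and R entries carry a note is an assumption of this example, and the sample items are constructed.

```python
from itertools import combinations

# Assessment codes from the SSRIM legend in the text.
CODES = {"O": "No issue",
         "I": "Inter-related, no significant or no change in risk",
         "J": "Justification in place for potential compounding risk",
         "R": "Potential compounding risk, additional rationale required"}

class InteractionMatrix:
    """Crosscheck every baseline-changing item against every other one."""

    def __init__(self, items):
        if len(set(items)) != len(items):
            raise ValueError("item names must be unique")
        self.items = list(items)
        # One cell per unordered pair; None marks a pair not yet assessed.
        self.cells = {pair: None for pair in combinations(self.items, 2)}

    def _key(self, a, b):
        i, j = self.items.index(a), self.items.index(b)  # ValueError if unknown
        if i == j:
            raise ValueError("an item is not assessed against itself")
        return (a, b) if i < j else (b, a)

    def assess(self, a, b, code, note=""):
        if code not in CODES:
            raise ValueError(f"unknown assessment code {code!r}")
        # Assumption of this example: J and R entries must carry a note.
        if code in ("J", "R") and not note.strip():
            raise ValueError(f"code {code} requires a note")
        self.cells[self._key(a, b)] = (code, note)

    def unassessed(self):
        return [pair for pair, cell in self.cells.items() if cell is None]

    def open_risks(self):
        return [(a, b, cell[1]) for (a, b), cell in self.cells.items()
                if cell and cell[0] == "R"]

    def remove_item(self, name):
        """Drop an eliminated change together with all of its pairings."""
        self.items.remove(name)
        self.cells = {p: c for p, c in self.cells.items() if name not in p}

    def render(self):
        rows = ["    " + " ".join(f"{j + 1:>2}" for j in range(len(self.items)))]
        for i, a in enumerate(self.items):  # '?' marks an unassessed pair
            marks = [f" {(self.cells[(a, b)] or '?')[0]}" if j > i else " ."
                     for j, b in enumerate(self.items)]
            rows.append(f"{i + 1:>2}  " + " ".join(marks) + f"  {a}")
        return "\n".join(rows)

# Constructed sample: two items paraphrase the paper's nozzle case, two are placeholders.
ITEMS = ["Larger nozzle throat diameter (thinner ablative throat ring)",
         "Thermocouples implanted in nozzle exit cone liner",
         "Placeholder process change C",
         "Placeholder test facility change D"]

def build_example():
    m = InteractionMatrix(ITEMS)
    m.assess(ITEMS[0], ITEMS[1], "R", "changed liner erosion vs. thermocouple implants")
    m.assess(ITEMS[0], ITEMS[3], "I")
    m.assess(ITEMS[3], ITEMS[1], "J", "constructed justification reference")
    return m
```

Calling `print(build_example().render())` shows the upper-triangular matrix; `remove_item` models eliminating a proposed change, after which its R pairing no longer appears in `open_risks()`.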

Motor SSRIM Results: Results from the potential compounding risk assessment of change 
interactions are noted in the Risk Interaction Matrix. The overall assessment and conclusions are 
presented to the ATK Thiokol Propulsion and NASA RSRM TRR and/or CoFR Boards per 
appropriate review schedules. The test motor SSRIM results are documented in each test motor 
System Safety Review Report. (ref. 8) Flight motor SSRIM results are documented in the CoFR
presentation packages. 

Figure 1. Risk Interaction Matrix Shell/Example

The RSRM program has realized benefits from utilization of the risk interaction matrix. For 
example, an upcoming test motor will incorporate a larger nozzle throat diameter by reducing the 
thickness of the nozzle ablative throat ring. Another proposed objective for the test motor will 
gather thermal data by implanting thermocouples in the nozzle exit cone liner in four axial 
locations. Each change carried its own level of risk that could be justified. However, the risk 
interaction matrix identified the potential of changing the erosion characteristics of the nozzle 
ablative liners downstream of the throat ring to interact with the method used to implant the 
thermocouples. This interaction drove an in-depth evaluation, which resulted in the elimination 
of the higher risk thermocouples. 


Conclusion 


The effort to put man into space using rocket motors has, and always will have, significant 
inherent risks. Knowing, understanding and controlling those risks are of the utmost importance 
to ATK Thiokol Propulsion and to NASA. RSRM risks have been analyzed providing current 
baseline documentation of what the risks have been and what they presently are. While the 
intent is to stay as close to the current baseline as possible, changes to the RSRM are 
accomplished to provide performance improvements as well as to replace materials that have 
become obsolete. All changes, including improvement initiatives and the replacements for
obsolescent materials, are evaluated carefully through the perspective of various disciplines. The
system safety discipline assesses each change individually to identify any change in risk. The 
individual change review is not complete without the additional risk interaction matrix review. 
The risk interaction matrix provides the finishing touch for assessing potential risk issues for 
each flight or test motor. A complete risk assessment assures that any change in risk or any new 
risk is understood and that appropriate mitigation efforts have been employed to control risk to 
an acceptable level. 